--- /dev/null
+From d8e9b2b9097c117880dc22933239d05199c60b96 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 20 Feb 2017 14:58:25 +0100
+Subject: drm/i915/gvt: Fix superfluous newline in GVT_DISPLAY_READY env var
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d8e9b2b9097c117880dc22933239d05199c60b96 upstream.
+
+send_display_send_uevent() sends two environment variables, and the
+first one GVT_DISPLAY_READY is set including a new line at the end of
+the string; that is obviously superfluous and wrong -- at least, it
+*looks* so when you only read the code.
+
+However, it doesn't appear in the actual output by a (supposedly
+unexpected) trick. The code uses snprintf() and truncates the string
+in size 20 bytes. This makes the string as GVT_DISPLAY_READY=0 or
+...=1 including the trailing NUL-letter. That is, the '\n' found in
+the format string is always cut off as a result.
+
+Although the code gives the correct result, it is confusing. This
+patch addresses it, just removing the superfluous '\n' from the format
+string for avoiding further confusion. If the argument "ready" were
+not a bool, the size 20 should be corrected as well. But it's a
+bool, so we can leave the magic number 20 as is for now.
+
+FWIW, the bug was spotted by a new GCC7 warning:
+ drivers/gpu/drm/i915/gvt/handlers.c: In function 'pvinfo_mmio_write':
+ drivers/gpu/drm/i915/gvt/handlers.c:1042:34: error: 'snprintf' output truncated before the last format character [-Werror=format-truncation=]
+ snprintf(display_ready_str, 20, "GVT_DISPLAY_READY=%d\n", ready);
+ ^~~~~~~~~~~~~~~~~~~~~~~~
+ drivers/gpu/drm/i915/gvt/handlers.c:1042:2: note: 'snprintf' output 21 bytes into a destination of size 20
+ snprintf(display_ready_str, 20, "GVT_DISPLAY_READY=%d\n", ready);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fixes: 04d348ae3f0a ("drm/i915/gvt: vGPU display virtualization")
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1025903
+Reported-by: Richard Biener <rguenther@suse.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gvt/handlers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gvt/handlers.c
++++ b/drivers/gpu/drm/i915/gvt/handlers.c
+@@ -1039,7 +1039,7 @@ static int send_display_ready_uevent(str
+ char vmid_str[20];
+ char display_ready_str[20];
+
+- snprintf(display_ready_str, 20, "GVT_DISPLAY_READY=%d\n", ready);
++ snprintf(display_ready_str, 20, "GVT_DISPLAY_READY=%d", ready);
+ env[0] = display_ready_str;
+
+ snprintf(vmid_str, 20, "VMID=%d", vgpu->id);
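Review bot: Both `snprintf()` calls in this hunk pass the literal `20` instead of the size of the destination array, so the bound and the declaration can drift apart without any warning. `snprintf(display_ready_str, sizeof(display_ready_str), "GVT_DISPLAY_READY=%d", ready);` and the same form for `vmid_str` keep the two tied together. The description itself says 20 is only large enough because `ready` is a bool, which is the kind of assumption a `sizeof` bound makes harmless. The function starts and ends outside the hunk.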
--- /dev/null
+From 606142af57dad981b78707234cfbd15f9f7b7125 Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@earth.li>
+Date: Wed, 15 Feb 2017 18:29:15 -0200
+Subject: [media] dw2102: don't do DMA on stack
+
+From: Jonathan McDowell <noodles@earth.li>
+
+commit 606142af57dad981b78707234cfbd15f9f7b7125 upstream.
+
+On Kernel 4.9, WARNINGs about doing DMA on stack are hit at
+the dw2102 driver: one in su3000_power_ctrl() and the other in tt_s2_4600_frontend_attach().
+
+Both were due to the use of buffers on the stack as parameters to
+dvb_usb_generic_rw() and the resulting attempt to do DMA with them.
+
+The device was non-functional as a result.
+
+So, switch this driver over to use a buffer within the device state
+structure, as has been done with other DVB-USB drivers.
+
+Tested with TechnoTrend TT-connect S2-4600.
+
+[mchehab@osg.samsung.com: fixed a warning at su3000_i2c_transfer() that
+ state var were dereferenced before check 'd']
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dw2102.c | 242 ++++++++++++++++++++++---------------
+ 1 file changed, 144 insertions(+), 98 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dw2102.c
++++ b/drivers/media/usb/dvb-usb/dw2102.c
+@@ -68,6 +68,7 @@
+ struct dw2102_state {
+ u8 initialized;
+ u8 last_lock;
++ u8 data[MAX_XFER_SIZE + 4];
+ struct i2c_client *i2c_client_demod;
+ struct i2c_client *i2c_client_tuner;
+
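Review bot: The new `data` member carries no comment saying what it is for or what protects it, although every user added by this patch takes `d->data_mutex` around it and uses it for both the outgoing and the incoming bytes of a transfer. A comment on the field such as `/* USB transfer buffer (out and in); access only under d->data_mutex */` would record that rule where the next caller will look. The struct continues outside the hunk.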
+@@ -661,62 +662,72 @@ static int su3000_i2c_transfer(struct i2
+ int num)
+ {
+ struct dvb_usb_device *d = i2c_get_adapdata(adap);
+- u8 obuf[0x40], ibuf[0x40];
++ struct dw2102_state *state;
+
+ if (!d)
+ return -ENODEV;
++
++ state = d->priv;
++
+ if (mutex_lock_interruptible(&d->i2c_mutex) < 0)
+ return -EAGAIN;
++ if (mutex_lock_interruptible(&d->data_mutex) < 0) {
++ mutex_unlock(&d->i2c_mutex);
++ return -EAGAIN;
++ }
+
+ switch (num) {
+ case 1:
+ switch (msg[0].addr) {
+ case SU3000_STREAM_CTRL:
+- obuf[0] = msg[0].buf[0] + 0x36;
+- obuf[1] = 3;
+- obuf[2] = 0;
+- if (dvb_usb_generic_rw(d, obuf, 3, ibuf, 0, 0) < 0)
++ state->data[0] = msg[0].buf[0] + 0x36;
++ state->data[1] = 3;
++ state->data[2] = 0;
++ if (dvb_usb_generic_rw(d, state->data, 3,
++ state->data, 0, 0) < 0)
+ err("i2c transfer failed.");
+ break;
+ case DW2102_RC_QUERY:
+- obuf[0] = 0x10;
+- if (dvb_usb_generic_rw(d, obuf, 1, ibuf, 2, 0) < 0)
++ state->data[0] = 0x10;
++ if (dvb_usb_generic_rw(d, state->data, 1,
++ state->data, 2, 0) < 0)
+ err("i2c transfer failed.");
+- msg[0].buf[1] = ibuf[0];
+- msg[0].buf[0] = ibuf[1];
++ msg[0].buf[1] = state->data[0];
++ msg[0].buf[0] = state->data[1];
+ break;
+ default:
+ /* always i2c write*/
+- obuf[0] = 0x08;
+- obuf[1] = msg[0].addr;
+- obuf[2] = msg[0].len;
++ state->data[0] = 0x08;
++ state->data[1] = msg[0].addr;
++ state->data[2] = msg[0].len;
+
+- memcpy(&obuf[3], msg[0].buf, msg[0].len);
++ memcpy(&state->data[3], msg[0].buf, msg[0].len);
+
+- if (dvb_usb_generic_rw(d, obuf, msg[0].len + 3,
+- ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, msg[0].len + 3,
++ state->data, 1, 0) < 0)
+ err("i2c transfer failed.");
+
+ }
+ break;
+ case 2:
+ /* always i2c read */
+- obuf[0] = 0x09;
+- obuf[1] = msg[0].len;
+- obuf[2] = msg[1].len;
+- obuf[3] = msg[0].addr;
+- memcpy(&obuf[4], msg[0].buf, msg[0].len);
++ state->data[0] = 0x09;
++ state->data[1] = msg[0].len;
++ state->data[2] = msg[1].len;
++ state->data[3] = msg[0].addr;
++ memcpy(&state->data[4], msg[0].buf, msg[0].len);
+
+- if (dvb_usb_generic_rw(d, obuf, msg[0].len + 4,
+- ibuf, msg[1].len + 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, msg[0].len + 4,
++ state->data, msg[1].len + 1, 0) < 0)
+ err("i2c transfer failed.");
+
+- memcpy(msg[1].buf, &ibuf[1], msg[1].len);
++ memcpy(msg[1].buf, &state->data[1], msg[1].len);
+ break;
+ default:
+ warn("more than 2 i2c messages at a time is not handled yet.");
+ break;
+ }
++ mutex_unlock(&d->data_mutex);
+ mutex_unlock(&d->i2c_mutex);
+ return num;
+ }
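Review bot: The copies into `state->data` in the write case (`memcpy(&state->data[3], msg[0].buf, msg[0].len)`) and the read case (`memcpy(&state->data[4], ...)`, plus a read of `msg[1].len + 1` bytes) use caller-supplied i2c message lengths with no comparison against the buffer size. Moving from a stack array to the state structure turns an over-long message from a stack overrun into an overrun of driver state. The value of `MAX_XFER_SIZE` is not visible here, so whether a length byte can exceed it should be confirmed, but an explicit check costs little. Note also that when `dvb_usb_generic_rw()` fails the code only logs, then still copies `state->data` (now holding the outgoing command bytes) back to the caller and returns `num` as success. The function signature starts outside the hunk.

```c
		default:
			/* always i2c write*/
			if (msg[0].len > sizeof(state->data) - 3) {
				warn("i2c wr: len=%d is too big!", msg[0].len);
				num = -EOPNOTSUPP;
				break;
			}
			state->data[0] = 0x08;
			/* … unchanged: rest of the write case … */
	case 2:
		/* always i2c read */
		if (msg[0].len > sizeof(state->data) - 4 ||
		    msg[1].len > sizeof(state->data) - 1) {
			warn("i2c rd: message is too big!");
			num = -EOPNOTSUPP;
			break;
		}
		state->data[0] = 0x09;
		/* … unchanged: rest of the read case … */
```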
+@@ -844,17 +855,23 @@ static int su3000_streaming_ctrl(struct
+ static int su3000_power_ctrl(struct dvb_usb_device *d, int i)
+ {
+ struct dw2102_state *state = (struct dw2102_state *)d->priv;
+- u8 obuf[] = {0xde, 0};
++ int ret = 0;
+
+ info("%s: %d, initialized %d", __func__, i, state->initialized);
+
+ if (i && !state->initialized) {
++ mutex_lock(&d->data_mutex);
++
++ state->data[0] = 0xde;
++ state->data[1] = 0;
++
+ state->initialized = 1;
+ /* reset board */
+- return dvb_usb_generic_rw(d, obuf, 2, NULL, 0, 0);
++ ret = dvb_usb_generic_rw(d, state->data, 2, NULL, 0, 0);
++ mutex_unlock(&d->data_mutex);
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static int su3000_read_mac_address(struct dvb_usb_device *d, u8 mac[6])
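Review bot: `state->initialized = 1` is set before the result of the reset transfer is known, so a failed `dvb_usb_generic_rw()` leaves the device marked initialized and the reset is never retried on a later call. Setting the flag only on success, `if (!ret) state->initialized = 1;` after the call, avoids that. The `!state->initialized` test is also made before `data_mutex` is taken; if this function can be entered concurrently (not visible from here), moving the test inside the lock would close the gap.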
+@@ -1309,49 +1326,57 @@ static int prof_7500_frontend_attach(str
+ return 0;
+ }
+
+-static int su3000_frontend_attach(struct dvb_usb_adapter *d)
++static int su3000_frontend_attach(struct dvb_usb_adapter *adap)
+ {
+- u8 obuf[3] = { 0xe, 0x80, 0 };
+- u8 ibuf[] = { 0 };
++ struct dvb_usb_device *d = adap->dev;
++ struct dw2102_state *state = d->priv;
++
++ mutex_lock(&d->data_mutex);
+
+- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0)
++ state->data[0] = 0xe;
++ state->data[1] = 0x80;
++ state->data[2] = 0;
++
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0)
+ err("command 0x0e transfer failed.");
+
+- obuf[0] = 0xe;
+- obuf[1] = 0x02;
+- obuf[2] = 1;
++ state->data[0] = 0xe;
++ state->data[1] = 0x02;
++ state->data[2] = 1;
+
+- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0)
+ err("command 0x0e transfer failed.");
+ msleep(300);
+
+- obuf[0] = 0xe;
+- obuf[1] = 0x83;
+- obuf[2] = 0;
++ state->data[0] = 0xe;
++ state->data[1] = 0x83;
++ state->data[2] = 0;
+
+- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0)
+ err("command 0x0e transfer failed.");
+
+- obuf[0] = 0xe;
+- obuf[1] = 0x83;
+- obuf[2] = 1;
++ state->data[0] = 0xe;
++ state->data[1] = 0x83;
++ state->data[2] = 1;
+
+- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0)
+ err("command 0x0e transfer failed.");
+
+- obuf[0] = 0x51;
++ state->data[0] = 0x51;
+
+- if (dvb_usb_generic_rw(d->dev, obuf, 1, ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, 1, state->data, 1, 0) < 0)
+ err("command 0x51 transfer failed.");
+
+- d->fe_adap[0].fe = dvb_attach(ds3000_attach, &su3000_ds3000_config,
+- &d->dev->i2c_adap);
+- if (d->fe_adap[0].fe == NULL)
++ mutex_unlock(&d->data_mutex);
++
++ adap->fe_adap[0].fe = dvb_attach(ds3000_attach, &su3000_ds3000_config,
++ &d->i2c_adap);
++ if (adap->fe_adap[0].fe == NULL)
+ return -EIO;
+
+- if (dvb_attach(ts2020_attach, d->fe_adap[0].fe,
++ if (dvb_attach(ts2020_attach, adap->fe_adap[0].fe,
+ &dw2104_ts2020_config,
+- &d->dev->i2c_adap)) {
++ &d->i2c_adap)) {
+ info("Attached DS3000/TS2020!");
+ return 0;
+ }
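Review bot: The `mutex_unlock(&d->data_mutex)` placed just before `dvb_attach()` is load-bearing but unexplained: the attach calls presumably issue i2c transfers through su3000_i2c_transfer(), which takes `data_mutex` itself, so holding it across the attach would deadlock. A comment such as `/* drop data_mutex: the attach below does i2c transfers that take it */` would keep a later edit from moving the unlock. The same applies to t220_frontend_attach(), m88rs2000_frontend_attach() and tt_s2_4600_frontend_attach() in the following hunks. As a style point, the five-command sequence here is repeated almost verbatim in tt_s2_4600_frontend_attach() and could live in one static helper that takes the lock, sends the commands and reports the first failure instead of only logging it.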
+@@ -1360,47 +1385,55 @@ static int su3000_frontend_attach(struct
+ return -EIO;
+ }
+
+-static int t220_frontend_attach(struct dvb_usb_adapter *d)
++static int t220_frontend_attach(struct dvb_usb_adapter *adap)
+ {
+- u8 obuf[3] = { 0xe, 0x87, 0 };
+- u8 ibuf[] = { 0 };
++ struct dvb_usb_device *d = adap->dev;
++ struct dw2102_state *state = d->priv;
++
++ mutex_lock(&d->data_mutex);
+
+- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0)
++ state->data[0] = 0xe;
++ state->data[1] = 0x87;
++ state->data[2] = 0x0;
++
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0)
+ err("command 0x0e transfer failed.");
+
+- obuf[0] = 0xe;
+- obuf[1] = 0x86;
+- obuf[2] = 1;
++ state->data[0] = 0xe;
++ state->data[1] = 0x86;
++ state->data[2] = 1;
+
+- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0)
+ err("command 0x0e transfer failed.");
+
+- obuf[0] = 0xe;
+- obuf[1] = 0x80;
+- obuf[2] = 0;
++ state->data[0] = 0xe;
++ state->data[1] = 0x80;
++ state->data[2] = 0;
+
+- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0)
+ err("command 0x0e transfer failed.");
+
+ msleep(50);
+
+- obuf[0] = 0xe;
+- obuf[1] = 0x80;
+- obuf[2] = 1;
++ state->data[0] = 0xe;
++ state->data[1] = 0x80;
++ state->data[2] = 1;
+
+- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0)
+ err("command 0x0e transfer failed.");
+
+- obuf[0] = 0x51;
++ state->data[0] = 0x51;
+
+- if (dvb_usb_generic_rw(d->dev, obuf, 1, ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, 1, state->data, 1, 0) < 0)
+ err("command 0x51 transfer failed.");
+
+- d->fe_adap[0].fe = dvb_attach(cxd2820r_attach, &cxd2820r_config,
+- &d->dev->i2c_adap, NULL);
+- if (d->fe_adap[0].fe != NULL) {
+- if (dvb_attach(tda18271_attach, d->fe_adap[0].fe, 0x60,
+- &d->dev->i2c_adap, &tda18271_config)) {
++ mutex_unlock(&d->data_mutex);
++
++ adap->fe_adap[0].fe = dvb_attach(cxd2820r_attach, &cxd2820r_config,
++ &d->i2c_adap, NULL);
++ if (adap->fe_adap[0].fe != NULL) {
++ if (dvb_attach(tda18271_attach, adap->fe_adap[0].fe, 0x60,
++ &d->i2c_adap, &tda18271_config)) {
+ info("Attached TDA18271HD/CXD2820R!");
+ return 0;
+ }
+@@ -1410,23 +1443,30 @@ static int t220_frontend_attach(struct d
+ return -EIO;
+ }
+
+-static int m88rs2000_frontend_attach(struct dvb_usb_adapter *d)
++static int m88rs2000_frontend_attach(struct dvb_usb_adapter *adap)
+ {
+- u8 obuf[] = { 0x51 };
+- u8 ibuf[] = { 0 };
++ struct dvb_usb_device *d = adap->dev;
++ struct dw2102_state *state = d->priv;
++
++ mutex_lock(&d->data_mutex);
+
+- if (dvb_usb_generic_rw(d->dev, obuf, 1, ibuf, 1, 0) < 0)
++ state->data[0] = 0x51;
++
++ if (dvb_usb_generic_rw(d, state->data, 1, state->data, 1, 0) < 0)
+ err("command 0x51 transfer failed.");
+
+- d->fe_adap[0].fe = dvb_attach(m88rs2000_attach, &s421_m88rs2000_config,
+- &d->dev->i2c_adap);
++ mutex_unlock(&d->data_mutex);
+
+- if (d->fe_adap[0].fe == NULL)
++ adap->fe_adap[0].fe = dvb_attach(m88rs2000_attach,
++ &s421_m88rs2000_config,
++ &d->i2c_adap);
++
++ if (adap->fe_adap[0].fe == NULL)
+ return -EIO;
+
+- if (dvb_attach(ts2020_attach, d->fe_adap[0].fe,
++ if (dvb_attach(ts2020_attach, adap->fe_adap[0].fe,
+ &dw2104_ts2020_config,
+- &d->dev->i2c_adap)) {
++ &d->i2c_adap)) {
+ info("Attached RS2000/TS2020!");
+ return 0;
+ }
+@@ -1439,44 +1479,50 @@ static int tt_s2_4600_frontend_attach(st
+ {
+ struct dvb_usb_device *d = adap->dev;
+ struct dw2102_state *state = d->priv;
+- u8 obuf[3] = { 0xe, 0x80, 0 };
+- u8 ibuf[] = { 0 };
+ struct i2c_adapter *i2c_adapter;
+ struct i2c_client *client;
+ struct i2c_board_info board_info;
+ struct m88ds3103_platform_data m88ds3103_pdata = {};
+ struct ts2020_config ts2020_config = {};
+
+- if (dvb_usb_generic_rw(d, obuf, 3, ibuf, 1, 0) < 0)
++ mutex_lock(&d->data_mutex);
++
++ state->data[0] = 0xe;
++ state->data[1] = 0x80;
++ state->data[2] = 0x0;
++
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0)
+ err("command 0x0e transfer failed.");
+
+- obuf[0] = 0xe;
+- obuf[1] = 0x02;
+- obuf[2] = 1;
++ state->data[0] = 0xe;
++ state->data[1] = 0x02;
++ state->data[2] = 1;
+
+- if (dvb_usb_generic_rw(d, obuf, 3, ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0)
+ err("command 0x0e transfer failed.");
+ msleep(300);
+
+- obuf[0] = 0xe;
+- obuf[1] = 0x83;
+- obuf[2] = 0;
++ state->data[0] = 0xe;
++ state->data[1] = 0x83;
++ state->data[2] = 0;
+
+- if (dvb_usb_generic_rw(d, obuf, 3, ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0)
+ err("command 0x0e transfer failed.");
+
+- obuf[0] = 0xe;
+- obuf[1] = 0x83;
+- obuf[2] = 1;
++ state->data[0] = 0xe;
++ state->data[1] = 0x83;
++ state->data[2] = 1;
+
+- if (dvb_usb_generic_rw(d, obuf, 3, ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0)
+ err("command 0x0e transfer failed.");
+
+- obuf[0] = 0x51;
++ state->data[0] = 0x51;
+
+- if (dvb_usb_generic_rw(d, obuf, 1, ibuf, 1, 0) < 0)
++ if (dvb_usb_generic_rw(d, state->data, 1, state->data, 1, 0) < 0)
+ err("command 0x51 transfer failed.");
+
++ mutex_unlock(&d->data_mutex);
++
+ /* attach demod */
+ m88ds3103_pdata.clk = 27000000;
+ m88ds3103_pdata.i2c_wr_max = 33;
--- /dev/null
+From d1eb98143c56f24fef125f5bbed49ae0b52fb7d6 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 1 Mar 2017 19:05:54 +0000
+Subject: efi/arm: Fix boot crash with CONFIG_CPUMASK_OFFSTACK=y
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit d1eb98143c56f24fef125f5bbed49ae0b52fb7d6 upstream.
+
+On ARM and arm64, we use a dedicated mm_struct to map the UEFI
+Runtime Services regions, which allows us to map those regions
+on demand, and in a way that is guaranteed to be compatible
+with incoming kernels across kexec.
+
+As it turns out, we don't fully initialize the mm_struct in the
+same way as process mm_structs are initialized on fork(), which
+results in the following crash on ARM if CONFIG_CPUMASK_OFFSTACK=y
+is enabled:
+
+ ...
+ EFI Variables Facility v0.08 2004-May-17
+ Unable to handle kernel NULL pointer dereference at virtual address 00000000
+ [...]
+ Process swapper/0 (pid: 1)
+ ...
+ __memzero()
+ check_and_switch_context()
+ virt_efi_get_next_variable()
+ efivar_init()
+ efivars_sysfs_init()
+ do_one_initcall()
+ ...
+
+This is due to a missing call to mm_init_cpumask(), so add it.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/1488395154-29786-1-git-send-email-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/arm-runtime.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/firmware/efi/arm-runtime.c
++++ b/drivers/firmware/efi/arm-runtime.c
+@@ -65,6 +65,7 @@ static bool __init efi_virtmap_init(void
+ bool systab_found;
+
+ efi_mm.pgd = pgd_alloc(&efi_mm);
++ mm_init_cpumask(&efi_mm);
+ init_new_context(NULL, &efi_mm);
+
+ systab_found = false;
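Review bot: The result of `pgd_alloc(&efi_mm)` is used without a NULL check, and the added `mm_init_cpumask()` plus the existing `init_new_context()` go on to initialise the mm regardless. Since efi_virtmap_init() returns bool, `if (!efi_mm.pgd) return false;` directly after the allocation would fail the setup cleanly, assuming `false` is the failure value, which this hunk does not show. A short comment that `mm_init_cpumask()` is needed because `efi_mm` is not set up by the fork path would also explain why the call is here. The function body continues outside the hunk.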
--- /dev/null
+From 2e1e4949f9dfb053122785cd73540bb1e61f768b Mon Sep 17 00:00:00 2001
+From: Qi Hou <qi.hou@windriver.com>
+Date: Fri, 3 Mar 2017 15:57:11 +0800
+Subject: i2c: add missing of_node_put in i2c_mux_del_adapters
+
+From: Qi Hou <qi.hou@windriver.com>
+
+commit 2e1e4949f9dfb053122785cd73540bb1e61f768b upstream.
+
+Refcount of of_node is increased with of_node_get() in i2c_mux_add_adapter().
+It must be decreased with of_node_put() in i2c_mux_del_adapters().
+
+Signed-off-by: Qi Hou <qi.hou@windriver.com>
+Reviewed-by: Zhang Xiao <xiao.zhang@windriver.com>
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/i2c-mux.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/i2c/i2c-mux.c
++++ b/drivers/i2c/i2c-mux.c
+@@ -429,6 +429,7 @@ void i2c_mux_del_adapters(struct i2c_mux
+ while (muxc->num_adapters) {
+ struct i2c_adapter *adap = muxc->adapter[--muxc->num_adapters];
+ struct i2c_mux_priv *priv = adap->algo_data;
++ struct device_node *np = adap->dev.of_node;
+
+ muxc->adapter[muxc->num_adapters] = NULL;
+
+@@ -438,6 +439,7 @@ void i2c_mux_del_adapters(struct i2c_mux
+
+ sysfs_remove_link(&priv->adap.dev.kobj, "mux_device");
+ i2c_del_adapter(adap);
++ of_node_put(np);
+ kfree(priv);
+ }
+ }
--- /dev/null
+From ababb08938df7ac245d30a58b95b94ecf8dc04fc Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Thu, 16 Feb 2017 21:20:45 +0000
+Subject: i2c: bcm2835: Avoid possible NULL ptr dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+commit ababb08938df7ac245d30a58b95b94ecf8dc04fc upstream.
+
+Since commit e2474541032d ("bcm2835: Fix hang for writing messages
+larger than 16 bytes") the interrupt handler is prone to a possible
+NULL pointer dereference. This could happen if an interrupt fires
+before curr_msg is set by bcm2835_i2c_xfer_msg() and randomly occurs
+on the RPi 3. Even though this is unexpected behavior, the driver must
+handle it with an error instead of a crash.
+
+Reported-by: Peter Robinson <pbrobinson@gmail.com>
+Fixes: e2474541032d ("bcm2835: Fix hang for writing messages larger than 16 bytes")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Acked-by: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-bcm2835.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-bcm2835.c
++++ b/drivers/i2c/busses/i2c-bcm2835.c
+@@ -195,7 +195,9 @@ static irqreturn_t bcm2835_i2c_isr(int t
+ }
+
+ if (val & BCM2835_I2C_S_DONE) {
+- if (i2c_dev->curr_msg->flags & I2C_M_RD) {
++ if (!i2c_dev->curr_msg) {
++ dev_err(i2c_dev->dev, "Got unexpected interrupt (from firmware?)\n");
++ } else if (i2c_dev->curr_msg->flags & I2C_M_RD) {
+ bcm2835_drain_rxfifo(i2c_dev);
+ val = bcm2835_i2c_readl(i2c_dev, BCM2835_I2C_S);
+ }
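Review bot: The new `dev_err()` runs in the interrupt handler with no rate limit, so a source that keeps raising unexpected interrupts can flood the kernel log. `dev_err_ratelimited(i2c_dev->dev, "Got unexpected interrupt (from firmware?)\n");` bounds that. Only the DONE branch is guarded here; the handler starts and ends outside the hunk, so it is worth confirming that its other branches do not touch `curr_msg` or the message buffer when no transfer is in flight.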
--- /dev/null
+From 370a0ec1819990f8e2a93df7cc9c0146980ed45f Mon Sep 17 00:00:00 2001
+From: Jintack Lim <jintack@cs.columbia.edu>
+Date: Mon, 6 Mar 2017 05:42:37 -0800
+Subject: KVM: arm/arm64: Let vcpu thread modify its own active state
+
+From: Jintack Lim <jintack@cs.columbia.edu>
+
+commit 370a0ec1819990f8e2a93df7cc9c0146980ed45f upstream.
+
+Currently, if a vcpu thread tries to change the active state of an
+interrupt which is already on the same vcpu's AP list, it will loop
+forever. Since the VGIC mmio handler is called after a vcpu has
+already synced back the LR state to the struct vgic_irq, we can just
+let it proceed safely.
+
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Jintack Lim <jintack@cs.columbia.edu>
+Signed-off-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic/vgic-mmio.c | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+--- a/virt/kvm/arm/vgic/vgic-mmio.c
++++ b/virt/kvm/arm/vgic/vgic-mmio.c
+@@ -187,21 +187,37 @@ unsigned long vgic_mmio_read_active(stru
+ static void vgic_mmio_change_active(struct kvm_vcpu *vcpu, struct vgic_irq *irq,
+ bool new_active_state)
+ {
++ struct kvm_vcpu *requester_vcpu;
+ spin_lock(&irq->irq_lock);
++
++ /*
++ * The vcpu parameter here can mean multiple things depending on how
++ * this function is called; when handling a trap from the kernel it
++ * depends on the GIC version, and these functions are also called as
++ * part of save/restore from userspace.
++ *
++ * Therefore, we have to figure out the requester in a reliable way.
++ *
++ * When accessing VGIC state from user space, the requester_vcpu is
++ * NULL, which is fine, because we guarantee that no VCPUs are running
++ * when accessing VGIC state from user space so irq->vcpu->cpu is
++ * always -1.
++ */
++ requester_vcpu = kvm_arm_get_running_vcpu();
++
+ /*
+ * If this virtual IRQ was written into a list register, we
+ * have to make sure the CPU that runs the VCPU thread has
+- * synced back LR state to the struct vgic_irq. We can only
+- * know this for sure, when either this irq is not assigned to
+- * anyone's AP list anymore, or the VCPU thread is not
+- * running on any CPUs.
++ * synced back the LR state to the struct vgic_irq.
+ *
+- * In the opposite case, we know the VCPU thread may be on its
+- * way back from the guest and still has to sync back this
+- * IRQ, so we release and re-acquire the spin_lock to let the
+- * other thread sync back the IRQ.
++ * As long as the conditions below are true, we know the VCPU thread
++ * may be on its way back from the guest (we kicked the VCPU thread in
++ * vgic_change_active_prepare) and still has to sync back this IRQ,
++ * so we release and re-acquire the spin_lock to let the other thread
++ * sync back the IRQ.
+ */
+ while (irq->vcpu && /* IRQ may have state in an LR somewhere */
++ irq->vcpu != requester_vcpu && /* Current thread is not the VCPU thread */
+ irq->vcpu->cpu != -1) /* VCPU thread is running */
+ cond_resched_lock(&irq->irq_lock);
+
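Review bot: With the added `irq->vcpu != requester_vcpu` test, the userspace path (NULL requester) depends entirely on the invariant stated in the new comment, that no VCPU is running during userspace access, and nothing in this function checks it. If that guarantee is enforced elsewhere, the comment should name where; if it ever fails to hold, this loop would still spin while `irq->vcpu->cpu != -1`. As a style matter, `kvm_arm_get_running_vcpu()` does not depend on `irq`, so it could be called before `spin_lock()`, and the new declaration should be followed by a blank line. The function continues past the end of the hunk.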
--- /dev/null
+From 2e4d88009f57057df7672fa69a32b5224af54d37 Mon Sep 17 00:00:00 2001
+From: Janosch Frank <frankja@linux.vnet.ibm.com>
+Date: Thu, 2 Mar 2017 15:23:42 +0100
+Subject: KVM: s390: Fix guest migration for huge guests resulting in panic
+
+From: Janosch Frank <frankja@linux.vnet.ibm.com>
+
+commit 2e4d88009f57057df7672fa69a32b5224af54d37 upstream.
+
+While we can technically not run huge page guests right now, we can
+setup a guest with huge pages. Trying to migrate it will trigger a
+VM_BUG_ON and, if the kernel is not configured to panic on a BUG, it
+will happily try to work on non-existing page table entries.
+
+With this patch, we always return "dirty" if we encounter a large page
+when migrating. This at least fixes the immediate problem until we
+have proper handling for both kinds of pages.
+
+Fixes: 15f36eb ("KVM: s390: Add proper dirty bitmap support to S390 kvm.")
+Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com>
+Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/mm/pgtable.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/mm/pgtable.c
++++ b/arch/s390/mm/pgtable.c
+@@ -606,12 +606,29 @@ void ptep_zap_key(struct mm_struct *mm,
+ bool test_and_clear_guest_dirty(struct mm_struct *mm, unsigned long addr)
+ {
+ spinlock_t *ptl;
++ pgd_t *pgd;
++ pud_t *pud;
++ pmd_t *pmd;
+ pgste_t pgste;
+ pte_t *ptep;
+ pte_t pte;
+ bool dirty;
+
+- ptep = get_locked_pte(mm, addr, &ptl);
++ pgd = pgd_offset(mm, addr);
++ pud = pud_alloc(mm, pgd, addr);
++ if (!pud)
++ return false;
++ pmd = pmd_alloc(mm, pud, addr);
++ if (!pmd)
++ return false;
++ /* We can't run guests backed by huge pages, but userspace can
++ * still set them up and then try to migrate them without any
++ * migration support.
++ */
++ if (pmd_large(*pmd))
++ return true;
++
++ ptep = pte_alloc_map_lock(mm, pmd, addr, &ptl);
+ if (unlikely(!ptep))
+ return false;
+
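Review bot: After this change the return value of test_and_clear_guest_dirty() has three different meanings, and nothing at the function says so: `false` when `pud_alloc()` or `pmd_alloc()` fails, `true` unconditionally for a large pmd, and the real dirty state otherwise. A header comment stating that huge-page-backed addresses are always reported dirty, and that an allocation failure reads as clean, would make the stopgap visible to callers of the dirty log. The new block comment also starts its text on the `/*` line, which differs from the usual kernel comment layout outside the networking code. The function body continues outside the hunk.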
--- /dev/null
+From 0d5370d1d85251e5893ab7c90a429464de2e140b Mon Sep 17 00:00:00 2001
+From: Ethan Zhao <ethan.zhao@oracle.com>
+Date: Mon, 27 Feb 2017 17:08:44 +0900
+Subject: PCI: Prevent VPD access for QLogic ISP2722
+
+From: Ethan Zhao <ethan.zhao@oracle.com>
+
+commit 0d5370d1d85251e5893ab7c90a429464de2e140b upstream.
+
+QLogic ISP2722-based 16/32Gb Fibre Channel to PCIe Adapter has the VPD
+access issue too; reading the common pci-sysfs access interface shown as
+
+ /sys/devices/pci0000:00/0000:00:03.2/0000:0b:00.0/vpd
+
+with simple 'cat' could cause system hang and panic:
+
+ Kernel panic - not syncing: An NMI occurred. Depending on your system the reason for the NMI is logged in any one of the following resources:
+ 1. Integrated Management Log (IML)
+ 2. OA Syslog
+ 3. OA Forward Progress Log
+ 4. iLO Event Log
+ CPU: 0 PID: 15070 Comm: udevadm Not tainted 4.1.12
+ Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 12/27/2015
+ 0000000000000086 000000007f0cdf51 ffff880c4fa05d58 ffffffff817193de
+ ffffffffa00b42d8 0000000000000075 ffff880c4fa05dd8 ffffffff81714072
+ 0000000000000008 ffff880c4fa05de8 ffff880c4fa05d88 000000007f0cdf51
+ Call Trace:
+ <NMI> [<ffffffff817193de>] dump_stack+0x63/0x81
+ [<ffffffff81714072>] panic+0xd0/0x20e
+ [<ffffffffa00b390d>] hpwdt_pretimeout+0xdd/0xe0 [hpwdt]
+ [<ffffffff81021fc9>] ? sched_clock+0x9/0x10
+ [<ffffffff8101c101>] nmi_handle+0x91/0x170
+ [<ffffffff8101c10c>] ? nmi_handle+0x9c/0x170
+ [<ffffffff8101c5fe>] io_check_error+0x1e/0xa0
+ [<ffffffff8101c719>] default_do_nmi+0x99/0x140
+ [<ffffffff8101c8b4>] do_nmi+0xf4/0x170
+ [<ffffffff817232c5>] end_repeat_nmi+0x1a/0x1e
+ [<ffffffff815d724b>] ? pci_conf1_read+0xeb/0x120
+ [<ffffffff815d724b>] ? pci_conf1_read+0xeb/0x120
+ [<ffffffff815d724b>] ? pci_conf1_read+0xeb/0x120
+ <<EOE>> [<ffffffff815db4b3>] raw_pci_read+0x23/0x40
+ [<ffffffff815db4fc>] pci_read+0x2c/0x30
+ [<ffffffff8136f612>] pci_user_read_config_word+0x72/0x110
+ [<ffffffff8136f746>] pci_vpd_pci22_wait+0x96/0x130
+ [<ffffffff8136ff9b>] pci_vpd_pci22_read+0xdb/0x1a0
+ [<ffffffff8136ea30>] pci_read_vpd+0x20/0x30
+ [<ffffffff8137d590>] read_vpd_attr+0x30/0x40
+ [<ffffffff8128e037>] sysfs_kf_bin_read+0x47/0x70
+ [<ffffffff8128d24e>] kernfs_fop_read+0xae/0x180
+ [<ffffffff8120dd97>] __vfs_read+0x37/0x100
+ [<ffffffff812ba7e4>] ? security_file_permission+0x84/0xa0
+ [<ffffffff8120e366>] ? rw_verify_area+0x56/0xe0
+ [<ffffffff8120e476>] vfs_read+0x86/0x140
+ [<ffffffff8120f3f5>] SyS_read+0x55/0xd0
+ [<ffffffff81720f2e>] system_call_fastpath+0x12/0x71
+ Shutting down cpus with NMI
+ Kernel Offset: disabled
+ drm_kms_helper: panic occurred, switching back to text console
+
+So blacklist the access to its VPD.
+
+Signed-off-by: Ethan Zhao <ethan.zhao@oracle.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -2173,6 +2173,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LS
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LSI_LOGIC, 0x005f, quirk_blacklist_vpd);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATTANSIC, PCI_ANY_ID,
+ quirk_blacklist_vpd);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_QLOGIC, 0x2261, quirk_blacklist_vpd);
+
+ /*
+ * For Broadcom 5706, 5708, 5709 rev. A nics, any read beyond the
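Review bot: The added entry identifies the device only by the bare ID `0x2261`, and nothing beside it ties that value to the QLogic ISP2722 named in the description. A one-line comment above it, `/* QLogic ISP2722: reading VPD can hang the system */`, would keep the reason with the quirk for whoever next audits this list.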
--- /dev/null
+From 3fb66a70a4ae886445743354e4b60e54058bb3ff Mon Sep 17 00:00:00 2001
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Date: Thu, 16 Feb 2017 09:11:29 -0600
+Subject: powerpc/booke: Fix boot crash due to null hugepd
+
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+
+commit 3fb66a70a4ae886445743354e4b60e54058bb3ff upstream.
+
+On 32-bit book-e machines, hugepd_ok() no longer takes into account null
+hugepd values, causing this crash at boot:
+
+ Unable to handle kernel paging request for data at address 0x80000000
+ ...
+ NIP [c0018378] follow_huge_addr+0x38/0xf0
+ LR [c001836c] follow_huge_addr+0x2c/0xf0
+ Call Trace:
+ follow_huge_addr+0x2c/0xf0 (unreliable)
+ follow_page_mask+0x40/0x3e0
+ __get_user_pages+0xc8/0x450
+ get_user_pages_remote+0x8c/0x250
+ copy_strings+0x110/0x390
+ copy_strings_kernel+0x2c/0x50
+ do_execveat_common+0x478/0x630
+ do_execve+0x2c/0x40
+ try_to_run_init_process+0x18/0x60
+ kernel_init+0xbc/0x110
+ ret_from_kernel_thread+0x5c/0x64
+
+This impacts all nxp (ex-freescale) 32-bit booke platforms.
+
+This was caused by the change of hugepd_t.pd from signed to unsigned,
+and the update to the nohash version of hugepd_ok(). Previously
+hugepd_ok() could exclude all non-huge and NULL pgds using > 0, whereas
+now we need to explicitly check that the value is not zero and also that
+PD_HUGE is *clear*.
+
+This isn't protected by the pgd_none() check in __find_linux_pte_or_hugepte()
+because on 32-bit we use pgtable-nopud.h, which causes the pgd_none()
+check to be always false.
+
+Fixes: 20717e1ff526 ("powerpc/mm: Fix little-endian 4K hugetlb")
+Reported-by: Madalin-Cristian Bucur <madalin.bucur@nxp.com>
+Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+[mpe: Flesh out change log details.]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/nohash/pgtable.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/nohash/pgtable.h
++++ b/arch/powerpc/include/asm/nohash/pgtable.h
+@@ -230,7 +230,7 @@ static inline int hugepd_ok(hugepd_t hpd
+ return ((hpd_val(hpd) & 0x4) != 0);
+ #else
+ /* We clear the top bit to indicate hugepd */
+- return ((hpd_val(hpd) & PD_HUGE) == 0);
++ return (hpd_val(hpd) && (hpd_val(hpd) & PD_HUGE) == 0);
+ #endif
+ }
+
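Review bot: The comment above the changed return, `/* We clear the top bit to indicate hugepd */`, no longer describes the whole test, because a zero value also has the top bit clear and is now rejected explicitly. Suggest replacing it with `/* A hugepd is non-zero with the top bit (PD_HUGE) clear; zero means no entry */`. hugepd_ok() starts outside the hunk.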
--- /dev/null
+From e148bd17f48bd17fca2f4f089ec879fa6e47e34c Mon Sep 17 00:00:00 2001
+From: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Date: Tue, 14 Feb 2017 14:46:42 +0530
+Subject: powerpc: Emulation support for load/store instructions on LE
+
+From: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+
+commit e148bd17f48bd17fca2f4f089ec879fa6e47e34c upstream.
+
+emulate_step() uses a number of underlying kernel functions that were
+initially not enabled for LE. This has been rectified since. So, fix
+emulate_step() for LE for the corresponding instructions.
+
+Reported-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/lib/sstep.c | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+--- a/arch/powerpc/lib/sstep.c
++++ b/arch/powerpc/lib/sstep.c
+@@ -1799,8 +1799,6 @@ int __kprobes emulate_step(struct pt_reg
+ goto instr_done;
+
+ case LARX:
+- if (regs->msr & MSR_LE)
+- return 0;
+ if (op.ea & (size - 1))
+ break; /* can't handle misaligned */
+ err = -EFAULT;
+@@ -1824,8 +1822,6 @@ int __kprobes emulate_step(struct pt_reg
+ goto ldst_done;
+
+ case STCX:
+- if (regs->msr & MSR_LE)
+- return 0;
+ if (op.ea & (size - 1))
+ break; /* can't handle misaligned */
+ err = -EFAULT;
+@@ -1851,8 +1847,6 @@ int __kprobes emulate_step(struct pt_reg
+ goto ldst_done;
+
+ case LOAD:
+- if (regs->msr & MSR_LE)
+- return 0;
+ err = read_mem(®s->gpr[op.reg], op.ea, size, regs);
+ if (!err) {
+ if (op.type & SIGNEXT)
+@@ -1864,8 +1858,6 @@ int __kprobes emulate_step(struct pt_reg
+
+ #ifdef CONFIG_PPC_FPU
+ case LOAD_FP:
+- if (regs->msr & MSR_LE)
+- return 0;
+ if (size == 4)
+ err = do_fp_load(op.reg, do_lfs, op.ea, size, regs);
+ else
+@@ -1874,15 +1866,11 @@ int __kprobes emulate_step(struct pt_reg
+ #endif
+ #ifdef CONFIG_ALTIVEC
+ case LOAD_VMX:
+- if (regs->msr & MSR_LE)
+- return 0;
+ err = do_vec_load(op.reg, do_lvx, op.ea & ~0xfUL, regs);
+ goto ldst_done;
+ #endif
+ #ifdef CONFIG_VSX
+ case LOAD_VSX:
+- if (regs->msr & MSR_LE)
+- return 0;
+ err = do_vsx_load(op.reg, do_lxvd2x, op.ea, regs);
+ goto ldst_done;
+ #endif
+@@ -1905,8 +1893,6 @@ int __kprobes emulate_step(struct pt_reg
+ goto instr_done;
+
+ case STORE:
+- if (regs->msr & MSR_LE)
+- return 0;
+ if ((op.type & UPDATE) && size == sizeof(long) &&
+ op.reg == 1 && op.update_reg == 1 &&
+ !(regs->msr & MSR_PR) &&
+@@ -1919,8 +1905,6 @@ int __kprobes emulate_step(struct pt_reg
+
+ #ifdef CONFIG_PPC_FPU
+ case STORE_FP:
+- if (regs->msr & MSR_LE)
+- return 0;
+ if (size == 4)
+ err = do_fp_store(op.reg, do_stfs, op.ea, size, regs);
+ else
+@@ -1929,15 +1913,11 @@ int __kprobes emulate_step(struct pt_reg
+ #endif
+ #ifdef CONFIG_ALTIVEC
+ case STORE_VMX:
+- if (regs->msr & MSR_LE)
+- return 0;
+ err = do_vec_store(op.reg, do_stvx, op.ea & ~0xfUL, regs);
+ goto ldst_done;
+ #endif
+ #ifdef CONFIG_VSX
+ case STORE_VSX:
+- if (regs->msr & MSR_LE)
+- return 0;
+ err = do_vsx_store(op.reg, do_stxvd2x, op.ea, regs);
+ goto ldst_done;
+ #endif
--- /dev/null
+From a69e2fb70350a66f91175cd2625f1e8215c5b6e9 Mon Sep 17 00:00:00 2001
+From: Balbir Singh <bsingharora@gmail.com>
+Date: Fri, 3 Mar 2017 11:58:44 +1100
+Subject: powerpc/xics: Work around limitations of OPAL XICS priority handling
+
+From: Balbir Singh <bsingharora@gmail.com>
+
+commit a69e2fb70350a66f91175cd2625f1e8215c5b6e9 upstream.
+
+The CPPR (Current Processor Priority Register) of a XICS interrupt
+presentation controller contains a value N, such that only interrupts
+with a priority "more favoured" than N will be received by the CPU,
+where "more favoured" means "less than". So if the CPPR has the value 5
+then only interrupts with a priority of 0-4 inclusive will be received.
+
+In theory the CPPR can support a value of 0 to 255 inclusive.
+In practice Linux only uses values of 0, 4, 5 and 0xff. Setting the CPPR
+to 0 rejects all interrupts, setting it to 0xff allows all interrupts.
+The values 4 and 5 are used to differentiate IPIs from external
+interrupts. Setting the CPPR to 5 allows IPIs to be received but not
+external interrupts.
+
+The CPPR emulation in the OPAL XICS implementation only directly
+supports priorities 0 and 0xff. All other priorities are considered
+equivalent, and mapped to a single priority value internally. This means
+when using icp-opal we can not allow IPIs but not externals.
+
+This breaks Linux's use of priority values when a CPU is hot unplugged.
+After migrating IRQs away from the CPU that is being offlined, we set
+the priority to 5, meaning we still want the offline CPU to receive
+IPIs. But the effect of the OPAL XICS emulation's use of a single
+priority value is that all interrupts are rejected by the CPU. With the
+CPU offline, and not receiving IPIs, we may not be able to wake it up to
+bring it back online.
+
+The first part of the fix is in icp_opal_set_cpu_priority(). CPPR values
+of 0 to 4 inclusive will correctly cause all interrupts to be rejected,
+so we pass those CPPR values through to OPAL. However if we are called
+with a CPPR of 5 or greater, the caller is expecting to be able to allow
+IPIs but not external interrupts. We know this doesn't work, so instead
+of rejecting all interrupts we choose the opposite which is to allow all
+interrupts. This is still not correct behaviour, but we know for the
+only existing caller (xics_migrate_irqs_away()), that it is the better
+option.
+
+The other part of the fix is in xics_migrate_irqs_away(). Instead of
+setting priority (CPPR) to 0, and then back to 5 before migrating IRQs,
+we migrate the IRQs before setting the priority back to 5. This should
+have no effect on an ICP backend with a working set_priority(), and on
+icp-opal it means we will keep all interrupts blocked until after we've
+finished doing the IRQ migration. Additionally we wait for 5ms after
+doing the migration to make sure there are no IRQs in flight.
+
+Fixes: d74361881f0d ("powerpc/xics: Add ICP OPAL backend")
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Reported-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Tested-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Signed-off-by: Balbir Singh <bsingharora@gmail.com>
+[mpe: Rewrote comments and change log, change delay to 5ms]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/sysdev/xics/icp-opal.c | 10 ++++++++++
+ arch/powerpc/sysdev/xics/xics-common.c | 17 ++++++++++++++---
+ 2 files changed, 24 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/sysdev/xics/icp-opal.c
++++ b/arch/powerpc/sysdev/xics/icp-opal.c
+@@ -91,6 +91,16 @@ static unsigned int icp_opal_get_irq(voi
+
+ static void icp_opal_set_cpu_priority(unsigned char cppr)
+ {
++ /*
++ * Here be dragons. The caller has asked to allow only IPI's and not
++ * external interrupts. But OPAL XIVE doesn't support that. So instead
++ * of allowing no interrupts allow all. That's still not right, but
++ * currently the only caller who does this is xics_migrate_irqs_away()
++ * and it works in that case.
++ */
++ if (cppr >= DEFAULT_PRIORITY)
++ cppr = LOWEST_PRIORITY;
++
+ xics_set_base_cppr(cppr);
+ opal_int_set_cppr(cppr);
+ iosync();
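Review bot: The remap at `if (cppr >= DEFAULT_PRIORITY)` runs before `xics_set_base_cppr(cppr)`, so the recorded base CPPR also becomes LOWEST_PRIORITY rather than the value the caller asked for, and it applies to every caller of this hook, not only xics_migrate_irqs_away(). The block comment explains the limitation but not this side effect; a line such as `/* The base CPPR is recorded as the remapped value so it matches what OPAL was given. */` would make it explicit, if that is the intent. The comment also says "OPAL XIVE" where the description speaks of the OPAL XICS emulation, which is worth aligning.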
+--- a/arch/powerpc/sysdev/xics/xics-common.c
++++ b/arch/powerpc/sysdev/xics/xics-common.c
+@@ -20,6 +20,7 @@
+ #include <linux/of.h>
+ #include <linux/slab.h>
+ #include <linux/spinlock.h>
++#include <linux/delay.h>
+
+ #include <asm/prom.h>
+ #include <asm/io.h>
+@@ -198,9 +199,6 @@ void xics_migrate_irqs_away(void)
+ /* Remove ourselves from the global interrupt queue */
+ xics_set_cpu_giq(xics_default_distrib_server, 0);
+
+- /* Allow IPIs again... */
+- icp_ops->set_priority(DEFAULT_PRIORITY);
+-
+ for_each_irq_desc(virq, desc) {
+ struct irq_chip *chip;
+ long server;
+@@ -255,6 +253,19 @@ void xics_migrate_irqs_away(void)
+ unlock:
+ raw_spin_unlock_irqrestore(&desc->lock, flags);
+ }
++
++ /* Allow "sufficient" time to drop any inflight IRQ's */
++ mdelay(5);
++
++ /*
++ * Allow IPIs again. This is done at the very end, after migrating all
++ * interrupts, the expectation is that we'll only get woken up by an IPI
++ * interrupt beyond this point, but leave externals masked just to be
++ * safe. If we're using icp-opal this may actually allow all
++ * interrupts anyway, but that should be OK.
++ */
++ icp_ops->set_priority(DEFAULT_PRIORITY);
++
+ }
+ #endif /* CONFIG_HOTPLUG_CPU */
+
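Review bot: `mdelay(5)` is a bare constant under a comment that puts "sufficient" in quotes, so a reader cannot tell whether the 5 ms was measured or is an arbitrary margin, nor when it would need revisiting. The comment should state where the figure comes from, and a named constant would make it easier to find later. The added blank line just before the closing brace of xics_migrate_irqs_away() is stray and can be dropped.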
--- /dev/null
+From eb38d913c27f32f4df173791051fecf6aca34173 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Thu, 2 Mar 2017 10:44:58 +0200
+Subject: Revert "usb: gadget: uvc: Add missing call for additional setup data"
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit eb38d913c27f32f4df173791051fecf6aca34173 upstream.
+
+This reverts commit 4fbac5206afd01b717d4bdc58793d471f3391b4b.
+
+This commit breaks g_webcam when used with uvc-gadget [1].
+
+The user space application (e.g. uvc-gadget) is responsible for
+sending response to UVC class specific requests on control endpoint
+in uvc_send_response() in uvc_v4l2.c.
+
+The bad commit was causing a duplicate response to be sent with
+incorrect response data thus causing UVC probe to fail at the host
+and broken control transfer endpoint at the gadget.
+
+[1] - git://git.ideasonboard.org/uvc-gadget.git
+
+Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_uvc.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_uvc.c
++++ b/drivers/usb/gadget/function/f_uvc.c
+@@ -258,13 +258,6 @@ uvc_function_setup(struct usb_function *
+ memcpy(&uvc_event->req, ctrl, sizeof(uvc_event->req));
+ v4l2_event_queue(&uvc->vdev, &v4l2_event);
+
+- /* Pass additional setup data to userspace */
+- if (uvc->event_setup_out && uvc->event_length) {
+- uvc->control_req->length = uvc->event_length;
+- return usb_ep_queue(uvc->func.config->cdev->gadget->ep0,
+- uvc->control_req, GFP_ATOMIC);
+- }
+-
+ return 0;
+ }
+
--- /dev/null
+From f98c7bce570bdbe344b74ff5daa7dfeef3f22929 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sat, 25 Feb 2017 18:36:44 +0200
+Subject: serial: samsung: Continue to work if DMA request fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit f98c7bce570bdbe344b74ff5daa7dfeef3f22929 upstream.
+
+If DMA is not available (even when configured in DeviceTree), the driver
+will fail the startup procedure thus making serial console not
+available.
+
+For example this causes boot failure on QEMU ARMv7 (Exynos4210, SMDKC210):
+ [ Â Â 1.302575] OF: amba_device_add() failed (-19) for /amba/pdma@12680000
+ ...
+ [ Â 11.435732] samsung-uart 13800000.serial: DMA request failed
+ [ Â 72.963893] samsung-uart 13800000.serial: DMA request failed
+ [ Â 73.143361] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000
+
+DMA is not necessary for serial to work, so continue with UART startup
+after emitting a warning.
+
+Fixes: 62c37eedb74c ("serial: samsung: add dma reqest/release functions")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/samsung.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1036,8 +1036,10 @@ static int s3c64xx_serial_startup(struct
+ if (ourport->dma) {
+ ret = s3c24xx_serial_request_dma(ourport);
+ if (ret < 0) {
+- dev_warn(port->dev, "DMA request failed\n");
+- return ret;
++ dev_warn(port->dev,
++ "DMA request failed, DMA will not be used\n");
++ devm_kfree(port->dev, ourport->dma);
++ ourport->dma = NULL;
+ }
+ }
+
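Review bot: After the failed request the branch frees `ourport->dma` with `devm_kfree()` and clears the pointer, which makes the fallback permanent: a later startup of the same port will not try DMA again until the device is re-probed. That may be intended, but it deserves a comment, e.g. `/* DMA is optional; drop it for the lifetime of the device and continue without it */`. `ret` also keeps its negative value when the branch falls through, and the rest of s3c64xx_serial_startup() is outside the hunk, so it is worth confirming that it is reassigned before the function returns; `devm_kfree()` likewise assumes the buffer was devm-allocated against `port->dev`, which is not visible here.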
mips-ralink-cosmetic-change-to-prom_init.patch
mips-ralink-remove-unused-timer-functions.patch
mips-ralink-remove-unused-rt-_wdt_reset-functions.patch
+i2c-bcm2835-avoid-possible-null-ptr-dereference.patch
+tracing-add-undef-to-fix-compile-error.patch
+ucount-remove-the-atomicity-from-ucount-count.patch
+efi-arm-fix-boot-crash-with-config_cpumask_offstack-y.patch
+dw2102-don-t-do-dma-on-stack.patch
+i2c-add-missing-of_node_put-in-i2c_mux_del_adapters.patch
+powerpc-emulation-support-for-load-store-instructions-on-le.patch
+powerpc-booke-fix-boot-crash-due-to-null-hugepd.patch
+powerpc-xics-work-around-limitations-of-opal-xics-priority-handling.patch
+pci-prevent-vpd-access-for-qlogic-isp2722.patch
+usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch
+usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch
+usb-dwc3-omap-fix-missing-break-in-dwc3_omap_set_mailbox.patch
+usb-ohci-at91-do-not-drop-unhandled-usb-suspend-control-requests.patch
+usb-gadget-function-f_fs-pass-companion-descriptor-along.patch
+revert-usb-gadget-uvc-add-missing-call-for-additional-setup-data.patch
+usb-host-xhci-dbg-hciversion-should-be-a-binary-number.patch
+usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch
+usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch
+usb-serial-omninet-fix-reference-leaks-at-open.patch
+usb-iowarrior-fix-null-deref-at-probe.patch
+usb-iowarrior-fix-null-deref-in-write.patch
+usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch
+usb-serial-io_ti-fix-information-leak-in-completion-handler.patch
+serial-samsung-continue-to-work-if-dma-request-fails.patch
+kvm-s390-fix-guest-migration-for-huge-guests-resulting-in-panic.patch
+kvm-arm-arm64-let-vcpu-thread-modify-its-own-active-state.patch
+drm-i915-gvt-fix-superfluous-newline-in-gvt_display_ready-env-var.patch
--- /dev/null
+From bf7165cfa23695c51998231c4efa080fe1d3548d Mon Sep 17 00:00:00 2001
+From: Rik van Riel <riel@redhat.com>
+Date: Wed, 28 Sep 2016 22:55:54 -0400
+Subject: tracing: Add #undef to fix compile error
+
+From: Rik van Riel <riel@redhat.com>
+
+commit bf7165cfa23695c51998231c4efa080fe1d3548d upstream.
+
+There are several trace include files that define TRACE_INCLUDE_FILE.
+
+Include several of them in the same .c file (as I currently have in
+some code I am working on), and the compile will blow up with a
+"warning: "TRACE_INCLUDE_FILE" redefined #define TRACE_INCLUDE_FILE syscalls"
+
+Every other include file in include/trace/events/ avoids that issue
+by having a #undef TRACE_INCLUDE_FILE before the #define; syscalls.h
+should have one, too.
+
+Link: http://lkml.kernel.org/r/20160928225554.13bd7ac6@annuminas.surriel.com
+
+Fixes: b8007ef74222 ("tracing: Separate raw syscall from syscall tracer")
+Signed-off-by: Rik van Riel <riel@redhat.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/trace/events/syscalls.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/trace/events/syscalls.h
++++ b/include/trace/events/syscalls.h
+@@ -1,5 +1,6 @@
+ #undef TRACE_SYSTEM
+ #define TRACE_SYSTEM raw_syscalls
++#undef TRACE_INCLUDE_FILE
+ #define TRACE_INCLUDE_FILE syscalls
+
+ #if !defined(_TRACE_EVENTS_SYSCALLS_H) || defined(TRACE_HEADER_MULTI_READ)
--- /dev/null
+From 040757f738e13caaa9c5078bca79aa97e11dde88 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sun, 5 Mar 2017 15:03:22 -0600
+Subject: ucount: Remove the atomicity from ucount->count
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 040757f738e13caaa9c5078bca79aa97e11dde88 upstream.
+
+Always increment/decrement ucount->count under the ucounts_lock. The
+increments are there already and moving the decrements there means the
+locking logic of the code is simpler. This simplification in the
+locking logic fixes a race between put_ucounts and get_ucounts that
+could result in a use-after-free because the count could go zero then
+be found by get_ucounts and then be freed by put_ucounts.
+
+A bug presumably this one was found by a combination of syzkaller and
+KASAN. JongWhan Kim reported the syzkaller failure and Dmitry Vyukov
+spotted the race in the code.
+
+Fixes: f6b2db1a3e8d ("userns: Make the count of user namespaces per user")
+Reported-by: JongHwan Kim <zzoru007@gmail.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Reviewed-by: Andrei Vagin <avagin@gmail.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/user_namespace.h | 2 +-
+ kernel/ucount.c | 18 +++++++++++-------
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+--- a/include/linux/user_namespace.h
++++ b/include/linux/user_namespace.h
+@@ -65,7 +65,7 @@ struct ucounts {
+ struct hlist_node node;
+ struct user_namespace *ns;
+ kuid_t uid;
+- atomic_t count;
++ int count;
+ atomic_t ucount[UCOUNT_COUNTS];
+ };
+
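Review bot: With `atomic_t` gone, `int count` is only safe when every access holds ucounts_lock, and nothing at the declaration says so. A comment on the field, e.g. `int count; /* reference count, protected by ucounts_lock in kernel/ucount.c */`, would help keep a later lockless read or increment from reintroducing the use-after-free the description mentions. The neighbouring `ucount[]` array stays atomic, so the two fields now follow different rules and the difference should be visible in the header.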
+--- a/kernel/ucount.c
++++ b/kernel/ucount.c
+@@ -139,7 +139,7 @@ static struct ucounts *get_ucounts(struc
+
+ new->ns = ns;
+ new->uid = uid;
+- atomic_set(&new->count, 0);
++ new->count = 0;
+
+ spin_lock_irq(&ucounts_lock);
+ ucounts = find_ucounts(ns, uid, hashent);
+@@ -150,8 +150,10 @@ static struct ucounts *get_ucounts(struc
+ ucounts = new;
+ }
+ }
+- if (!atomic_add_unless(&ucounts->count, 1, INT_MAX))
++ if (ucounts->count == INT_MAX)
+ ucounts = NULL;
++ else
++ ucounts->count += 1;
+ spin_unlock_irq(&ucounts_lock);
+ return ucounts;
+ }
+@@ -160,13 +162,15 @@ static void put_ucounts(struct ucounts *
+ {
+ unsigned long flags;
+
+- if (atomic_dec_and_test(&ucounts->count)) {
+- spin_lock_irqsave(&ucounts_lock, flags);
++ spin_lock_irqsave(&ucounts_lock, flags);
++ ucounts->count -= 1;
++ if (!ucounts->count)
+ hlist_del_init(&ucounts->node);
+- spin_unlock_irqrestore(&ucounts_lock, flags);
++ else
++ ucounts = NULL;
++ spin_unlock_irqrestore(&ucounts_lock, flags);
+
+- kfree(ucounts);
+- }
++ kfree(ucounts);
+ }
+
+ static inline bool atomic_inc_below(atomic_t *v, int u)
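Review bot: put_ucounts() now reuses its parameter as a "should free" flag: `ucounts = NULL` in the else branch only works because kfree(NULL) is a no-op, and a reader has to know that to see why the unconditional `kfree(ucounts)` is safe. A separate local makes the decision explicit, `struct ucounts *to_free = NULL;` set with `to_free = ucounts;` next to `hlist_del_init()` and released with `kfree(to_free);` after the unlock. The decrement also has no guard against an unbalanced put taking the plain int below zero, which the atomic helper did not have either but is easier to check now that the lock is held.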
--- /dev/null
+From 7369090a9fb57c3fc705ce355d2e4523a5a24716 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Tue, 31 Jan 2017 13:24:54 +0200
+Subject: usb: dwc3: gadget: make Set Endpoint Configuration macros safe
+
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+commit 7369090a9fb57c3fc705ce355d2e4523a5a24716 upstream.
+
+Some gadget drivers are bad, bad boys. We notice
+that ADB was passing bad Burst Size which caused top
+bits of param0 to be overwritten which confused DWC3
+when running this command.
+
+In order to avoid future issues, we're going to make
+sure values passed by macros are always safe for the
+controller. Note that ADB still needs a fix to *not*
+pass bad values.
+
+Reported-by: Mohamed Abbas <mohamed.abbas@intel.com>
+Sugested-by: Adam Andruszak <adam.andruszak@intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.h | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.h
++++ b/drivers/usb/dwc3/gadget.h
+@@ -28,23 +28,23 @@ struct dwc3;
+ #define gadget_to_dwc(g) (container_of(g, struct dwc3, gadget))
+
+ /* DEPCFG parameter 1 */
+-#define DWC3_DEPCFG_INT_NUM(n) ((n) << 0)
++#define DWC3_DEPCFG_INT_NUM(n) (((n) & 0x1f) << 0)
+ #define DWC3_DEPCFG_XFER_COMPLETE_EN (1 << 8)
+ #define DWC3_DEPCFG_XFER_IN_PROGRESS_EN (1 << 9)
+ #define DWC3_DEPCFG_XFER_NOT_READY_EN (1 << 10)
+ #define DWC3_DEPCFG_FIFO_ERROR_EN (1 << 11)
+ #define DWC3_DEPCFG_STREAM_EVENT_EN (1 << 13)
+-#define DWC3_DEPCFG_BINTERVAL_M1(n) ((n) << 16)
++#define DWC3_DEPCFG_BINTERVAL_M1(n) (((n) & 0xff) << 16)
+ #define DWC3_DEPCFG_STREAM_CAPABLE (1 << 24)
+-#define DWC3_DEPCFG_EP_NUMBER(n) ((n) << 25)
++#define DWC3_DEPCFG_EP_NUMBER(n) (((n) & 0x1f) << 25)
+ #define DWC3_DEPCFG_BULK_BASED (1 << 30)
+ #define DWC3_DEPCFG_FIFO_BASED (1 << 31)
+
+ /* DEPCFG parameter 0 */
+-#define DWC3_DEPCFG_EP_TYPE(n) ((n) << 1)
+-#define DWC3_DEPCFG_MAX_PACKET_SIZE(n) ((n) << 3)
+-#define DWC3_DEPCFG_FIFO_NUMBER(n) ((n) << 17)
+-#define DWC3_DEPCFG_BURST_SIZE(n) ((n) << 22)
++#define DWC3_DEPCFG_EP_TYPE(n) (((n) & 0x3) << 1)
++#define DWC3_DEPCFG_MAX_PACKET_SIZE(n) (((n) & 0x7ff) << 3)
++#define DWC3_DEPCFG_FIFO_NUMBER(n) (((n) & 0x1f) << 17)
++#define DWC3_DEPCFG_BURST_SIZE(n) (((n) & 0xf) << 22)
+ #define DWC3_DEPCFG_DATA_SEQ_NUM(n) ((n) << 26)
+ /* This applies for core versions earlier than 1.94a */
+ #define DWC3_DEPCFG_IGN_SEQ_NUM (1 << 31)
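Review bot: `DWC3_DEPCFG_DATA_SEQ_NUM(n)` is left as `((n) << 26)` while every other parameter-0 field macro in this hunk gained a mask, so an oversized value can still spill into bit 31, which the hunk shows is `DWC3_DEPCFG_IGN_SEQ_NUM`. If the field is the five bits between the burst size and bit 31, which the visible layout suggests but the databook should confirm, the matching form would be `#define DWC3_DEPCFG_DATA_SEQ_NUM(n) (((n) & 0x1f) << 26)`. The masks also truncate silently, so a bad caller value is programmed as a different valid value rather than reported; the description already notes that the caller needs its own fix.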
--- /dev/null
+From 0913750f9fb6f26bcd00c8f9dd9a8d1b8d031246 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Wed, 15 Feb 2017 13:38:22 +0200
+Subject: usb: dwc3-omap: Fix missing break in dwc3_omap_set_mailbox()
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 0913750f9fb6f26bcd00c8f9dd9a8d1b8d031246 upstream.
+
+We need to break from all cases if we want to treat
+each one of them separately.
+
+Reported-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Fixes: d2728fb3e01f ("usb: dwc3: omap: Pass VBUS and ID events transparently")
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/dwc3-omap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/dwc3/dwc3-omap.c
++++ b/drivers/usb/dwc3/dwc3-omap.c
+@@ -250,6 +250,7 @@ static void dwc3_omap_set_mailbox(struct
+ val = dwc3_omap_read_utmi_ctrl(omap);
+ val |= USBOTGSS_UTMI_OTG_CTRL_IDDIG;
+ dwc3_omap_write_utmi_ctrl(omap, val);
++ break;
+
+ case OMAP_DWC3_VBUS_OFF:
+ val = dwc3_omap_read_utmi_ctrl(omap);
--- /dev/null
+From 5bbc852676ae08e818241cf66a3ffe4be44225c4 Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@nxp.com>
+Date: Tue, 28 Feb 2017 14:25:45 +0800
+Subject: usb: gadget: dummy_hcd: clear usb_gadget region before registration
+
+From: Peter Chen <peter.chen@nxp.com>
+
+commit 5bbc852676ae08e818241cf66a3ffe4be44225c4 upstream.
+
+When the user does device unbind and rebind test, the kernel will
+show below dump due to usb_gadget memory region is dirty after unbind.
+Clear usb_gadget region for every new probe.
+
+root@imx6qdlsolo:/sys/bus/platform/drivers/dummy_udc# echo dummy_udc.0 > bind
+[ 102.523312] kobject (eddd78b0): tried to init an initialized object, something is seriously wrong.
+[ 102.532447] CPU: 0 PID: 734 Comm: sh Not tainted 4.10.0-rc7-00872-g1b2b8e9 #1298
+[ 102.539866] Hardware name: Freescale i.MX6 SoloX (Device Tree)
+[ 102.545717] Backtrace:
+[ 102.548225] [<c010d090>] (dump_backtrace) from [<c010d338>] (show_stack+0x18/0x1c)
+[ 102.555822] r7:ede34000 r6:60010013 r5:00000000 r4:c0f29418
+[ 102.561512] [<c010d320>] (show_stack) from [<c040c2a4>] (dump_stack+0xb4/0xe8)
+[ 102.568764] [<c040c1f0>] (dump_stack) from [<c040e6d4>] (kobject_init+0x80/0x9c)
+[ 102.576187] r10:0000001f r9:eddd7000 r8:eeaf8c10 r7:eddd78a8 r6:c177891c r5:c0f3b060
+[ 102.584036] r4:eddd78b0 r3:00000000
+[ 102.587641] [<c040e654>] (kobject_init) from [<c05359a4>] (device_initialize+0x28/0xf8)
+[ 102.595665] r5:eebc4800 r4:eddd78a8
+[ 102.599268] [<c053597c>] (device_initialize) from [<c05382ac>] (device_register+0x14/0x20)
+[ 102.607556] r7:eddd78a8 r6:00000000 r5:eebc4800 r4:eddd78a8
+[ 102.613256] [<c0538298>] (device_register) from [<c0668ef4>] (usb_add_gadget_udc_release+0x8c/0x1ec)
+[ 102.622410] r5:eebc4800 r4:eddd7860
+[ 102.626015] [<c0668e68>] (usb_add_gadget_udc_release) from [<c0669068>] (usb_add_gadget_udc+0x14/0x18)
+[ 102.635351] r10:0000001f r9:eddd7000 r8:eddd788c r7:bf003770 r6:eddd77f8 r5:eddd7818
+[ 102.643198] r4:eddd785c r3:eddd7b24
+[ 102.646834] [<c0669054>] (usb_add_gadget_udc) from [<bf003428>] (dummy_udc_probe+0x170/0x1c4 [dummy_hcd])
+[ 102.656458] [<bf0032b8>] (dummy_udc_probe [dummy_hcd]) from [<c053d114>] (platform_drv_probe+0x54/0xb8)
+[ 102.665881] r10:00000008 r9:c1778960 r8:bf004128 r7:fffffdfb r6:bf004128 r5:eeaf8c10
+[ 102.673727] r4:eeaf8c10
+[ 102.676293] [<c053d0c0>] (platform_drv_probe) from [<c053b160>] (driver_probe_device+0x264/0x474)
+[ 102.685186] r7:00000000 r6:00000000 r5:c1778960 r4:eeaf8c10
+[ 102.690876] [<c053aefc>] (driver_probe_device) from [<c05397c4>] (bind_store+0xb8/0x14c)
+[ 102.698994] r10:eeb3bb4c r9:ede34000 r8:0000000c r7:eeaf8c44 r6:bf004128 r5:c0f3b668
+[ 102.706840] r4:eeaf8c10
+[ 102.709402] [<c053970c>] (bind_store) from [<c0538ca8>] (drv_attr_store+0x28/0x34)
+[ 102.716998] r9:ede34000 r8:00000000 r7:ee3863c0 r6:ee3863c0 r5:c0538c80 r4:c053970c
+[ 102.724776] [<c0538c80>] (drv_attr_store) from [<c029c930>] (sysfs_kf_write+0x50/0x54)
+[ 102.732711] r5:c0538c80 r4:0000000c
+[ 102.736313] [<c029c8e0>] (sysfs_kf_write) from [<c029be84>] (kernfs_fop_write+0x100/0x214)
+[ 102.744599] r7:ee3863c0 r6:eeb3bb40 r5:00000000 r4:00000000
+[ 102.750287] [<c029bd84>] (kernfs_fop_write) from [<c0222dd8>] (__vfs_write+0x34/0x120)
+[ 102.758231] r10:00000000 r9:ede34000 r8:c0108bc4 r7:0000000c r6:ede35f80 r5:c029bd84
+[ 102.766077] r4:ee223780
+[ 102.768638] [<c0222da4>] (__vfs_write) from [<c0224678>] (vfs_write+0xa8/0x170)
+[ 102.775974] r9:ede34000 r8:c0108bc4 r7:ede35f80 r6:01861cb0 r5:ee223780 r4:0000000c
+[ 102.783743] [<c02245d0>] (vfs_write) from [<c0225498>] (SyS_write+0x4c/0xa8)
+[ 102.790818] r9:ede34000 r8:c0108bc4 r7:0000000c r6:01861cb0 r5:ee223780 r4:ee223780
+[ 102.798595] [<c022544c>] (SyS_write) from [<c0108a20>] (ret_fast_syscall+0x0/0x1c)
+[ 102.806188] r7:00000004 r6:b6e83d58 r5:01861cb0 r4:0000000c
+
+Fixes: 90fccb529d24 ("usb: gadget: Gadget directory cleanup - group UDC drivers")
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Tested-by: Xiaolong Ye <xiaolong.ye@intel.com>
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -1031,6 +1031,8 @@ static int dummy_udc_probe(struct platfo
+ int rc;
+
+ dum = *((void **)dev_get_platdata(&pdev->dev));
++ /* Clear usb_gadget region for new registration to udc-core */
++ memzero_explicit(&dum->gadget, sizeof(struct usb_gadget));
+ dum->gadget.name = gadget_name;
+ dum->gadget.ops = &dummy_ops;
+ dum->gadget.max_speed = USB_SPEED_SUPER;
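Review bot: `memzero_explicit()` is the helper meant for wiping secrets where the compiler might drop the store; here the structure is written to on the very next lines, so a plain `memset()` says what is meant. I would also size by the object rather than the type, `memset(&dum->gadget, 0, sizeof(dum->gadget));`, so the call cannot go stale if the member's type changes. dummy_udc_probe() continues outside the hunk.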
--- /dev/null
+From 2bfa0719ac2a9b2f3c91345873d3cdebd0296ba9 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Tue, 31 Jan 2017 14:54:45 +0200
+Subject: usb: gadget: function: f_fs: pass companion descriptor along
+
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+commit 2bfa0719ac2a9b2f3c91345873d3cdebd0296ba9 upstream.
+
+If we're dealing with SuperSpeed endpoints, we need
+to make sure to pass along the companion descriptor
+and initialize fields needed by the Gadget
+API. Eventually, f_fs.c should be converted to use
+config_ep_by_speed() like all other functions,
+though.
+
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1833,11 +1833,14 @@ static int ffs_func_eps_enable(struct ff
+ spin_lock_irqsave(&func->ffs->eps_lock, flags);
+ while(count--) {
+ struct usb_endpoint_descriptor *ds;
++ struct usb_ss_ep_comp_descriptor *comp_desc = NULL;
++ int needs_comp_desc = false;
+ int desc_idx;
+
+- if (ffs->gadget->speed == USB_SPEED_SUPER)
++ if (ffs->gadget->speed == USB_SPEED_SUPER) {
+ desc_idx = 2;
+- else if (ffs->gadget->speed == USB_SPEED_HIGH)
++ needs_comp_desc = true;
++ } else if (ffs->gadget->speed == USB_SPEED_HIGH)
+ desc_idx = 1;
+ else
+ desc_idx = 0;
+@@ -1854,6 +1857,14 @@ static int ffs_func_eps_enable(struct ff
+
+ ep->ep->driver_data = ep;
+ ep->ep->desc = ds;
++
++ comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
++ USB_DT_ENDPOINT_SIZE);
++ ep->ep->maxburst = comp_desc->bMaxBurst + 1;
++
++ if (needs_comp_desc)
++ ep->ep->comp_desc = comp_desc;
++
+ ret = usb_ep_enable(ep->ep);
+ if (likely(!ret)) {
+ epfile->ep = ep;
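Review bot: `ds + USB_DT_ENDPOINT_SIZE` in the second hunk is arithmetic on a `struct usb_endpoint_descriptor *`, so it advances by that many whole descriptors rather than that many bytes, and `comp_desc` ends up pointing well past where a companion descriptor would sit. The following `comp_desc->bMaxBurst` read is also unconditional, so at high and full speed, where the first hunk leaves `needs_comp_desc` false, it reads memory that need not hold a companion descriptor at all. Doing the arithmetic on a byte pointer and moving both the read and the assignment under `needs_comp_desc` addresses both. What `maxburst` should be at the lower speeds is not visible here, and ffs_func_eps_enable() starts and ends outside the hunks.

```c
		ep->ep->desc = ds;

		if (needs_comp_desc) {
			/* Step over the endpoint descriptor in bytes, not in elements. */
			comp_desc = (struct usb_ss_ep_comp_descriptor *)
					((u8 *)ds + USB_DT_ENDPOINT_SIZE);
			ep->ep->maxburst = comp_desc->bMaxBurst + 1;
			ep->ep->comp_desc = comp_desc;
		}

		ret = usb_ep_enable(ep->ep);
```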
--- /dev/null
+From f95e60a7dbecd2de816bb3ad517b3d4fbc20b507 Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@nxp.com>
+Date: Thu, 9 Mar 2017 15:39:36 +0200
+Subject: usb: host: xhci-dbg: HCIVERSION should be a binary number
+
+From: Peter Chen <peter.chen@nxp.com>
+
+commit f95e60a7dbecd2de816bb3ad517b3d4fbc20b507 upstream.
+
+According to xHCI spec, HCIVERSION containing a BCD encoding
+of the xHCI specification revision number, 0100h corresponds
+to xHCI version 1.0. Change "100" as "0x100".
+
+Cc: Lu Baolu <baolu.lu@linux.intel.com>
+Fixes: 04abb6de2825 ("xhci: Read and parse new xhci 1.1 capability register")
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-dbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-dbg.c
++++ b/drivers/usb/host/xhci-dbg.c
+@@ -111,7 +111,7 @@ static void xhci_print_cap_regs(struct x
+ xhci_dbg(xhci, "RTSOFF 0x%x:\n", temp & RTSOFF_MASK);
+
+ /* xhci 1.1 controllers have the HCCPARAMS2 register */
+- if (hci_version > 100) {
++ if (hci_version > 0x100) {
+ temp = readl(&xhci->cap_regs->hcc_params2);
+ xhci_dbg(xhci, "HCC PARAMS2 0x%x:\n", (unsigned int) temp);
+ xhci_dbg(xhci, " HC %s Force save context capability",
--- /dev/null
+From dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 9 Mar 2017 15:39:37 +0200
+Subject: usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 upstream.
+
+Upstream commit 98d74f9ceaef ("xhci: fix 10 second timeout on removal of
+PCI hotpluggable xhci controllers") fixes a problem with hot pluggable PCI
+xhci controllers which can result in excessive timeouts, to the point where
+the system reports a deadlock.
+
+The same problem is seen with hot pluggable xhci controllers using the
+xhci-plat driver, such as the driver used for Type-C ports on rk3399.
+Similar to hot-pluggable PCI controllers, the driver for this chip
+removes the xhci controller from the system when the Type-C cable is
+disconnected.
+
+The solution for PCI devices works just as well for non-PCI devices
+and avoids the problem.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-plat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -283,6 +283,8 @@ static int xhci_plat_remove(struct platf
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+ struct clk *clk = xhci->clk;
+
++ xhci->xhc_state |= XHCI_STATE_REMOVING;
++
+ usb_remove_hcd(xhci->shared_hcd);
+ usb_phy_shutdown(hcd->usb_phy);
+
--- /dev/null
+From b7321e81fc369abe353cf094d4f0dc2fe11ab95f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 7 Mar 2017 16:11:03 +0100
+Subject: USB: iowarrior: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b7321e81fc369abe353cf094d4f0dc2fe11ab95f upstream.
+
+Make sure to check for the required interrupt-in endpoint to avoid
+dereferencing a NULL-pointer should a malicious device lack such an
+endpoint.
+
+Note that a fairly recent change purported to fix this issue, but added
+an insufficient test on the number of endpoints only, a test which can
+now be removed.
+
+Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -781,12 +781,6 @@ static int iowarrior_probe(struct usb_in
+ iface_desc = interface->cur_altsetting;
+ dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
+
+- if (iface_desc->desc.bNumEndpoints < 1) {
+- dev_err(&interface->dev, "Invalid number of endpoints\n");
+- retval = -EINVAL;
+- goto error;
+- }
+-
+ /* set up the endpoint information */
+ for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
+ endpoint = &iface_desc->endpoint[i].desc;
+@@ -797,6 +791,13 @@ static int iowarrior_probe(struct usb_in
+ /* this one will match for the IOWarrior56 only */
+ dev->int_out_endpoint = endpoint;
+ }
++
++ if (!dev->int_in_endpoint) {
++ dev_err(&interface->dev, "no interrupt-in endpoint found\n");
++ retval = -ENODEV;
++ goto error;
++ }
++
+ /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
+ dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
+ if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
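Review bot: The new `!dev->int_in_endpoint` test is only meaningful if the pointer starts out NULL, and nothing in this hunk establishes that. It presumably relies on `dev` being zero-allocated earlier in iowarrior_probe(), which begins and ends outside the hunk. A comment above the check would record why the removed count test was not enough, e.g. `/* an endpoint count says nothing about type or direction; require the interrupt-in endpoint itself */`. The value that `usb_endpoint_maxp()` then stores in `dev->report_size` also comes from the device's descriptor, so if later code sizes buffers from it (not visible here), a range check belongs next to this one.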
--- /dev/null
+From de46e56653de7b3b54baa625bd582635008b8d05 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 7 Mar 2017 16:11:04 +0100
+Subject: USB: iowarrior: fix NULL-deref in write
+
+From: Johan Hovold <johan@kernel.org>
+
+commit de46e56653de7b3b54baa625bd582635008b8d05 upstream.
+
+Make sure to verify that we have the required interrupt-out endpoint for
+IOWarrior56 devices to avoid dereferencing a NULL-pointer in write
+should a malicious device lack such an endpoint.
+
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -798,6 +798,14 @@ static int iowarrior_probe(struct usb_in
+ goto error;
+ }
+
++ if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) {
++ if (!dev->int_out_endpoint) {
++ dev_err(&interface->dev, "no interrupt-out endpoint found\n");
++ retval = -ENODEV;
++ goto error;
++ }
++ }
++
+ /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
+ dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
+ if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
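Review bot: The interrupt-out check is tied to a single product ID, so it protects the write path only while that path dereferences `dev->int_out_endpoint` for `USB_DEVICE_ID_CODEMERCS_IOW56` and for nothing else. The write code is outside this hunk, so that coupling cannot be confirmed here. A comment would keep the two in step, e.g. `/* write() uses int_out_endpoint for IOW56 only; extend this check if another product ID starts using it */`. The nested `if` can also be flattened to `if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56 && !dev->int_out_endpoint) {`. iowarrior_probe() starts and ends outside the hunk.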
--- /dev/null
+From 85550f9148a852ed363a386577ad31b97b95dfb8 Mon Sep 17 00:00:00 2001
+From: Jelle Martijn Kok <jmkok@youcom.nl>
+Date: Tue, 21 Feb 2017 12:48:18 +0100
+Subject: usb: ohci-at91: Do not drop unhandled USB suspend control requests
+
+From: Jelle Martijn Kok <jmkok@youcom.nl>
+
+commit 85550f9148a852ed363a386577ad31b97b95dfb8 upstream.
+
+In patch 2e2aa1bc7eff90ecm, USB suspend and wakeup control requests are
+passed to SFR_OHCIICR register. If a processor does not have such a
+register, this hub control request will be dropped.
+
+If no such a SFR register is available, all USB suspend control requests
+will now be processed using ohci_hub_control()
+(like before patch 2e2aa1bc7eff90ecm.)
+
+Tested on an Atmel AT91SAM9G20 with an on-board TI TUSB2046B hub chip.
+If the last USB device is unplugged from the USB hub, the hub goes to
+sleep and will not wake up when a USB device is inserted.
+
+Fixes: 2e2aa1bc7eff90ec ("usb: ohci-at91: Forcibly suspend ports while USB suspend")
+Signed-off-by: Jelle Martijn Kok <jmkok@youcom.nl>
+Tested-by: Wenyou Yang <wenyou.yang@atmel.com>
+Cc: Wenyou Yang <wenyou.yang@atmel.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Reviewed-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ohci-at91.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/ohci-at91.c
++++ b/drivers/usb/host/ohci-at91.c
+@@ -350,7 +350,7 @@ static int ohci_at91_hub_control(struct
+
+ case USB_PORT_FEAT_SUSPEND:
+ dev_dbg(hcd->self.controller, "SetPortFeat: SUSPEND\n");
+- if (valid_port(wIndex)) {
++ if (valid_port(wIndex) && ohci_at91->sfr_regmap) {
+ ohci_at91_port_suspend(ohci_at91->sfr_regmap,
+ 1);
+ return 0;
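Review bot: With the added `&& ohci_at91->sfr_regmap` the SetPortFeature SUSPEND case has a second outcome that the code does not explain. When the regmap is absent the request skips the `if` and is handled by whatever follows the case, which is outside this hunk (the commit message says ohci_hub_control()). A comment on the condition would make that explicit, e.g. `/* no SFR on this SoC: let the generic hub control handle the request */`. The same applies to the ClearPortFeature hunk at -393. ohci_at91_hub_control() starts and ends outside both hunks.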
+@@ -393,7 +393,7 @@ static int ohci_at91_hub_control(struct
+
+ case USB_PORT_FEAT_SUSPEND:
+ dev_dbg(hcd->self.controller, "ClearPortFeature: SUSPEND\n");
+- if (valid_port(wIndex)) {
++ if (valid_port(wIndex) && ohci_at91->sfr_regmap) {
+ ohci_at91_port_suspend(ohci_at91->sfr_regmap,
+ 0);
+ return 0;
--- /dev/null
+From 654b404f2a222f918af9b0cd18ad469d0c941a8e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 6 Mar 2017 17:36:40 +0100
+Subject: USB: serial: io_ti: fix information leak in completion handler
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 654b404f2a222f918af9b0cd18ad469d0c941a8e upstream.
+
+Add missing sanity check to the bulk-in completion handler to avoid an
+integer underflow that can be triggered by a malicious device.
+
+This avoids leaking 128 kB of memory content from after the URB transfer
+buffer to user space.
+
+Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_ti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -1761,7 +1761,7 @@ static void edge_bulk_in_callback(struct
+
+ port_number = edge_port->port->port_number;
+
+- if (edge_port->lsr_event) {
++ if (urb->actual_length > 0 && edge_port->lsr_event) {
+ edge_port->lsr_event = 0;
+ dev_dbg(dev, "%s ===== Port %u LSR Status = %02x, Data = %02x ======\n",
+ __func__, port_number, edge_port->lsr_mask, *data);
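Review bot: The reason for the `urb->actual_length > 0` guard is not stated at the condition. The only hint in the hunk is that `*data` is read in the dev_dbg() call, and the length adjustment the commit message refers to lies past the end of the hunk. A comment such as `/* the LSR data byte is taken from the transfer buffer; an empty transfer has none */` would stop a later cleanup from dropping the test. With an empty transfer `edge_port->lsr_event` now stays set and is applied to the next completed URB; that looks intended, but is worth saying in the same comment. edge_bulk_in_callback() continues outside the hunk.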
--- /dev/null
+From 0b1d250afb8eb9d65afb568bac9b9f9253a82b49 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 6 Mar 2017 17:36:37 +0100
+Subject: USB: serial: io_ti: fix NULL-deref in interrupt callback
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0b1d250afb8eb9d65afb568bac9b9f9253a82b49 upstream.
+
+Fix a NULL-pointer dereference in the interrupt callback should a
+malicious device send data containing a bad port number by adding the
+missing sanity check.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_ti.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -1674,6 +1674,12 @@ static void edge_interrupt_callback(stru
+ function = TIUMP_GET_FUNC_FROM_CODE(data[0]);
+ dev_dbg(dev, "%s - port_number %d, function %d, info 0x%x\n", __func__,
+ port_number, function, data[1]);
++
++ if (port_number >= edge_serial->serial->num_ports) {
++ dev_err(dev, "bad port number %d\n", port_number);
++ goto exit;
++ }
++
+ port = edge_serial->serial->port[port_number];
+ edge_port = usb_get_serial_port_data(port);
+ if (!edge_port) {
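Review bot: The added bound check rejects only values that are too large. `port_number` is printed with `%d`, so it is presumably a signed int; its declaration and the code that computes it are outside the hunk. If it can be negative, such a value passes `port_number >= edge_serial->serial->num_ports` and still indexes `serial->port[]`. In that case the test should read `if (port_number < 0 || port_number >= edge_serial->serial->num_ports) {`. edge_interrupt_callback() starts and ends outside the hunk.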
--- /dev/null
+From 30572418b445d85fcfe6c8fe84c947d2606767d8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 6 Mar 2017 17:36:38 +0100
+Subject: USB: serial: omninet: fix reference leaks at open
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 30572418b445d85fcfe6c8fe84c947d2606767d8 upstream.
+
+This driver needlessly took another reference to the tty on open, a
+reference which was then never released on close. This led to not just
+a leak of the tty, but also a driver reference leak that prevented the
+driver from being unloaded after a port had once been opened.
+
+Fixes: 4a90f09b20f4 ("tty: usb-serial krefs")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/omninet.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/usb/serial/omninet.c
++++ b/drivers/usb/serial/omninet.c
+@@ -142,12 +142,6 @@ static int omninet_port_remove(struct us
+
+ static int omninet_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+- struct usb_serial *serial = port->serial;
+- struct usb_serial_port *wport;
+-
+- wport = serial->port[1];
+- tty_port_tty_set(&wport->port, tty);
+-
+ return usb_serial_generic_open(tty, port);
+ }
+
--- /dev/null
+From 8c76d7cd520ebffc1ea9ea0850d87a224a50c7f2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 6 Mar 2017 17:36:41 +0100
+Subject: USB: serial: safe_serial: fix information leak in completion handler
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 8c76d7cd520ebffc1ea9ea0850d87a224a50c7f2 upstream.
+
+Add missing sanity check to the bulk-in completion handler to avoid an
+integer underflow that could be triggered by a malicious device.
+
+This avoids leaking up to 56 bytes from after the URB transfer buffer to
+user space.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/safe_serial.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/serial/safe_serial.c
++++ b/drivers/usb/serial/safe_serial.c
+@@ -200,6 +200,11 @@ static void safe_process_read_urb(struct
+ if (!safe)
+ goto out;
+
++ if (length < 2) {
++ dev_err(&port->dev, "malformed packet\n");
++ return;
++ }
++
+ fcs = fcs_compute10(data, length, CRC10_INITFCS);
+ if (fcs) {
+ dev_err(&port->dev, "%s - bad CRC %x\n", __func__, fcs);
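Review bot: The new `dev_err(&port->dev, "malformed packet\n")` fires once per short packet, and packet length is decided by the device. A faulty or hostile device can therefore fill the kernel log from this completion handler; `dev_err_ratelimited(&port->dev, "malformed packet\n");` bounds that. The message also omits the `%s - ` / `__func__` prefix used by the bad-CRC message a few lines below, which makes the two harder to correlate. A one-line comment saying why 2 is the minimum would help too; presumably the trailer bytes are consumed further down, outside this hunk. safe_process_read_urb() starts and ends outside the hunk.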